Untitled File

This document provides a sample VPN tunnel configuration template for Cisco IOS-based devices to connect an on-premises network to an Azure virtual network via IPsec VPN tunnels. It includes sections for network parameters, IPsec/IKE settings, optional BGP configuration, ACL rules, IKE phase 1 settings, IPsec phase 2 settings, tunnel interface configuration, and static routes. Administrators need to replace placeholder values like interface numbers and IP addresses with their actual values.

Uploaded by

Daniela Herrera

! Microsoft Corporation
! ------------------------------------------------------------------------------
! Sample VPN tunnel configuration template for Cisco IOS-based devices
!
! ##############################################################################
! !!! Search for "REPLACE" to find the values that require special
! !!! considerations
! !!!
! !!! (1) ACL/access-list rule numbers
! !!! (2) Tunnel interface number
! !!! (3) Tunnel interface IP address
! !!! (4) BGP routes to advertise (if BGP is enabled)
! !!! (5) BGP peer IP address on the device - loopback interface number
! ##############################################################################
!
! [0] Device information
!
! > Device vendor: Cisco
! > Device family: IOS-based (ASR, ISR)
! > Firmware version: IOS 15.1 or beyond
! > Test platform: Cisco ISR 2911, version 15.2
!
! [1] Network parameters
!
! > Connection name: VPN-HEC45-LMI-04
! > VPN Gateway name: 57080077-bd59-4bb9-9a9c-100bc6af0c67
! > Public IP addresses:
! + Public IP 1: 20.124.122.8
! > Virtual network address space:
! + CIDR: 10.10.100.0/22
! - Prefix: 10.10.100.0
! - Netmask: 255.255.252.0
! - Wildcard: 0.0.3.255
! > Local network gateway: LNG-HEC45-LMI-04
! > On-premises VPN IP: 200.113.106.156
! > On-premises address prefixes:
! + CIDR: 10.10.10.0/24
! - Prefix: 10.10.10.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.20.0/24
! - Prefix: 10.10.20.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.21.0/24
! - Prefix: 10.10.21.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.30.0/24
! - Prefix: 10.10.30.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.31.0/24
! - Prefix: 10.10.31.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.51.0/24
! - Prefix: 10.10.51.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.60.0/24
! - Prefix: 10.10.60.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.61.0/24
! - Prefix: 10.10.61.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.62.0/24
! - Prefix: 10.10.62.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.63.0/24
! - Prefix: 10.10.63.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.70.0/24
! - Prefix: 10.10.70.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.71.0/24
! - Prefix: 10.10.71.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.72.0/24
! - Prefix: 10.10.72.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 10.10.81.0/24
! - Prefix: 10.10.81.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! + CIDR: 192.168.102.0/24
! - Prefix: 192.168.102.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
!
! [2] IPsec/IKE parameters
!
! > IKE version: IKEv2
! + Encryption algorithm: aes-cbc-256
! + Integrity algorithm: sha1
! + Diffie-Hellman group: 2
! + SA lifetime (seconds): 3600
! + Pre-shared key: cFw1HQsoqt5ptN+eMArFBHsFncsOL8fe
! + UsePolicyBasedTS: False
!
! > IPsec
! + Encryption algorithm: esp-gcm 256
! + Integrity algorithm:
! + PFS Group: none
! + SA lifetime (seconds): 3600
!
! [3] BGP parameters - Azure VPN gateway
!
! > Azure virtual network
! + Enable BGP: False
! + Azure BGP ASN: VNG_ASN
! > On-premises network / LNG
! + On premises BGP ASN: LNG_ASN
! + On premises BGP IP: LNG_BGPIP
!
! ------------------------------------------------------------------------------
! ACL rules
!
! Some VPN devices require explicit ACL rules to allow cross-premises traffic:
!
! 1. Allow traffic between on premises address ranges and VNet address ranges
! 2. Allow IKE traffic (UDP:500) between on premises VPN devices and Azure VPN gateway
! 3. Allow IPsec traffic (Proto:ESP) between on premises VPN devices and Azure VPN gateway

access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.20.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.21.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.30.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.31.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.51.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.60.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.61.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.62.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.63.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.70.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.71.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.72.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 10.10.81.0 0.0.0.255 10.10.100.0 0.0.3.255
access-list 101 permit ip 192.168.102.0 0.0.0.255 10.10.100.0 0.0.3.255
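The ACL entries above are derived mechanically from the prefix list in section [1]: one `permit ip` line per on-premises prefix, with each netmask inverted into a Cisco wildcard. The following Python is an added example, not part of the Microsoft/Cisco template; it takes the template's own prefixes and VNet CIDR, renders the ACL and the matching static route, and refuses any on-premises prefix that overlaps the VNet range (overlapping space could not be routed through the tunnel unambiguously).

```python
# Added example (not from the template): render the extended ACL and static
# route from the prefix lists in "[1] Network parameters", computing the
# Cisco wildcard masks with the standard-library ipaddress module.
import ipaddress

# Values copied from the template above: on-premises prefixes and VNet CIDR.
ON_PREM_PREFIXES = [
    "10.10.10.0/24", "10.10.20.0/24", "10.10.21.0/24", "10.10.30.0/24",
    "10.10.31.0/24", "10.10.51.0/24", "10.10.60.0/24", "10.10.61.0/24",
    "10.10.62.0/24", "10.10.63.0/24", "10.10.70.0/24", "10.10.71.0/24",
    "10.10.72.0/24", "10.10.81.0/24", "192.168.102.0/24",
]
VNET_CIDR = "10.10.100.0/22"


def wildcard(cidr: str) -> str:
    """Cisco wildcard mask = bitwise inverse of the netmask (/22 -> 0.0.3.255)."""
    return str(ipaddress.ip_network(cidr, strict=True).hostmask)


def acl_lines(acl_number: int, local_prefixes, remote_cidr: str) -> list:
    """One 'permit ip' entry per on-premises prefix towards the VNet range."""
    remote = ipaddress.ip_network(remote_cidr, strict=True)
    lines = []
    for prefix in local_prefixes:
        local = ipaddress.ip_network(prefix, strict=True)
        if local.overlaps(remote):
            # Overlapping ranges cannot be distinguished by the routing table.
            raise ValueError(f"{local} overlaps the VNet range {remote}")
        lines.append(
            f"access-list {acl_number} permit ip "
            f"{local.network_address} {local.hostmask} "
            f"{remote.network_address} {remote.hostmask}"
        )
    return lines


def static_route(remote_cidr: str, tunnel_number: int) -> str:
    """Point the VNet prefix at the VTI, as in the 'Static routes' section."""
    remote = ipaddress.ip_network(remote_cidr, strict=True)
    return f"ip route {remote.network_address} {remote.netmask} Tunnel {tunnel_number}"


if __name__ == "__main__":
    print("\n".join(acl_lines(101, ON_PREM_PREFIXES, VNET_CIDR)))
    print(static_route(VNET_CIDR, 11))
```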

! ==============================================================================
! Internet Key Exchange (IKE) configuration
! - IKE Phase 1 / Main mode configuration
! - Encryption/integrity algorithms, Diffie-Hellman group, pre-shared key

crypto ikev2 proposal VPN-HEC45-LMI-04-proposal
  encryption aes-cbc-256
  integrity sha1
  group 2
  exit

crypto ikev2 policy VPN-HEC45-LMI-04-policy
  proposal VPN-HEC45-LMI-04-proposal
  match address local 200.113.106.156
  exit

crypto ikev2 keyring VPN-HEC45-LMI-04-keyring
  peer 20.124.122.8
    address 20.124.122.8
    pre-shared-key cFw1HQsoqt5ptN+eMArFBHsFncsOL8fe
    exit
  exit

crypto ikev2 profile VPN-HEC45-LMI-04-profile
  match address local 200.113.106.156
  match identity remote address 20.124.122.8 255.255.255.255
  authentication remote pre-share
  authentication local pre-share
  lifetime 3600
  keyring local VPN-HEC45-LMI-04-keyring
  exit

! ------------------------------------------------------------------------------
! IPsec configuration
! - IPsec (or IKE Phase 2 / Quick Mode) configuration
! - Transform Set: IPsec encryption/integrity algorithms, IPsec ESP mode

crypto ipsec transform-set VPN-HEC45-LMI-04-TransformSet esp-gcm 256
  mode tunnel
  exit

crypto ipsec profile VPN-HEC45-LMI-04-IPsecProfile
  set transform-set VPN-HEC45-LMI-04-TransformSet
  set ikev2-profile VPN-HEC45-LMI-04-profile
  set security-association lifetime seconds 3600
  exit

! ------------------------------------------------------------------------------
! Tunnel interface (VTI) configuration
! - Create/configure a tunnel interface
! - Configure an APIPA (169.254.x.x) address that does NOT overlap with any
! other address on this device. This is not visible from the Azure gateway.
! * REPLACE: Tunnel interface number and APIPA IP address below
! * In active-active configuration, there will be two tunnel interfaces below

int tunnel 11
  ip address 169.254.0.1 255.255.255.252
  tunnel mode ipsec ipv4
  ip tcp adjust-mss 1350
  tunnel source 200.113.106.156
  tunnel destination 20.124.122.8
  tunnel protection ipsec profile VPN-HEC45-LMI-04-IPsecProfile
  exit
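The comment above requires the VTI address to be an APIPA address that overlaps nothing else on the device; a collision is easy to miss by eye on a router with many interfaces. The Python below is an added example, not part of the template: it checks a candidate tunnel address against a constructed, hypothetical list of the device's other interface addresses (the interface names and addresses are sample values, except the tunnel and on-premises VPN IP, which come from the template).

```python
# Added example (not from the template): validate the VTI address against the
# template's rule, an APIPA (169.254.0.0/16) address that does not overlap any
# other address configured on the device.
import ipaddress

APIPA = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample of the device's other interfaces (hypothetical names and
# addresses, apart from the on-premises VPN IP taken from the template).
DEVICE_INTERFACES = {
    "GigabitEthernet0/0": "200.113.106.156/30",
    "GigabitEthernet0/1": "10.10.10.1/24",
    "Loopback0": "169.254.21.1/32",
}


def check_vti_address(tunnel_cidr: str, interfaces: dict) -> list:
    """Return a list of problems; an empty list means the address is acceptable."""
    vti = ipaddress.ip_interface(tunnel_cidr)
    problems = []
    if vti.ip not in APIPA:
        problems.append(f"{vti.ip} is not an APIPA address in {APIPA}")
    for name, cidr in interfaces.items():
        other = ipaddress.ip_interface(cidr).network
        # Any shared address space between the VTI subnet and another
        # interface's subnet makes next-hop resolution ambiguous.
        if vti.network.overlaps(other):
            problems.append(f"{vti.network} overlaps {name} ({other})")
    return problems


if __name__ == "__main__":
    # The template's own tunnel address, 169.254.0.1/30, passes the check.
    for candidate in ("169.254.0.1/30", "169.254.21.2/30", "10.10.10.5/30"):
        print(candidate, check_vti_address(candidate, DEVICE_INTERFACES) or "OK")
```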

! ------------------------------------------------------------------------------
! BGP configuration
! - BGP configuration if enabled for the connection
! * REPLACE: Loopback interface number(s)
! * REPLACE: Local routes and netmasks to advertise - LOCAL_ROUTE and LOCAL_MASK

! ------------------------------------------------------------------------------
! Static routes
! - Adding the static routes to point the VNet prefixes to the IPsec tunnels
! * REPLACE: Tunnel interface number(s)

ip route 10.10.100.0 255.255.252.0 Tunnel 11
